CVE-2019-25470
Authentication Bypass in eWON Firmware Exposes User Passwords
Publication date: 2026-03-11
Last updated on: 2026-03-11
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ewon | firmware | From 12.2 (inc) to 13.0 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-798 | The product contains hard-coded credentials, such as a password or cryptographic key. |
Attack-Flow Graph
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
[{'type': 'paragraph', 'content': 'Immediate mitigation steps include upgrading the eWON firmware to versions later than 13.0, specifically versions 13.1s0 or higher, where the authentication bypass vulnerability is fixed.'}, {'type': 'paragraph', 'content': 'Additionally, upgrading to firmware 13.3s0 or later addresses the weak password encryption scheme.'}, {'type': 'paragraph', 'content': "Until the firmware is updated, restrict network access to the device's web interface to trusted users only and monitor for suspicious POST requests to /wrcgi.bin/wsdReadForm."}, {'type': 'paragraph', 'content': 'Consider changing default usernames and passwords and applying network segmentation to limit exposure.'}] [2]
Can you explain this vulnerability to me?
CVE-2019-25470 is an authentication bypass vulnerability affecting eWON Firmware versions 12.2 through 13.0. Attackers with minimal privileges can exploit the wsdReadForm endpoint by sending specially crafted POST requests containing base64-encoded partial credentials and a manipulated wsdList parameter.
This exploitation allows attackers to extract encrypted passwords for all users on the device. These encrypted passwords can then be decrypted using a hardcoded XOR key embedded in the firmware, effectively exposing sensitive user credentials without requiring valid authentication.
How can this vulnerability impact me? :
This vulnerability allows unauthorized attackers to bypass authentication and retrieve sensitive user data, including encrypted passwords for all users on the affected device.
Because the passwords can be decrypted using a hardcoded XOR key, attackers can gain access to cleartext credentials, potentially leading to unauthorized access to the device and its resources.
Such unauthorized access can compromise the security and integrity of industrial systems relying on the eWON device, potentially leading to data breaches, operational disruptions, or further exploitation.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring for specially crafted POST requests sent to the endpoint /wrcgi.bin/wsdReadForm on eWON devices running firmware versions 12.2 to 13.0.'}, {'type': 'paragraph', 'content': 'An attacker sends POST requests containing base64-encoded partial credentials and a manipulated wsdList parameter to extract encrypted passwords.'}, {'type': 'paragraph', 'content': 'To detect exploitation attempts, you can use network monitoring tools or command-line utilities to look for POST requests to this specific URL.'}, {'type': 'list_item', 'content': 'Use tcpdump or Wireshark to capture HTTP POST traffic targeting /wrcgi.bin/wsdReadForm.'}, {'type': 'list_item', 'content': "Example tcpdump command: tcpdump -i <interface> -A 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep 'POST /wrcgi.bin/wsdReadForm'"}, {'type': 'list_item', 'content': 'Use curl or similar tools to test the endpoint with crafted POST requests containing base64-encoded partial credentials to verify if the device is vulnerable.'}] [1, 2]